Total: 134 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-42903 | | | 2026-06-17 | N/A | 4.3 MEDIUM |
| A vulnerability in SAP Financial Service Claims Management RFC function ICL_USER_GET_NAME_AND_ADDRESS allows user enumeration and potential disclosure of personal data through response discrepancies, causing low impact on confidentiality with no impact on integrity or availability. | |||||
| CVE-2025-40806 | 1 Siemens | 1 Gridscale X Prepay | 2026-06-17 | N/A | 5.3 MEDIUM |
| A vulnerability has been identified in Gridscale X Prepay (All versions < V4.2.1). The affected application is vulnerable to user enumeration due to distinguishable responses. This could allow an unauthenticated remote attacker to determine if a user is valid or not, enabling a brute force attack with valid users. | |||||
| CVE-2025-3939 | 4 Blackberry, Linux, Microsoft and 1 more | 5 Qnx, Linux Kernel, Windows and 2 more | 2026-06-17 | N/A | 5.3 MEDIUM |
| Observable Response Discrepancy vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Cryptanalysis. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11. | |||||
| CVE-2025-3716 | | | 2026-06-17 | N/A | N/A |
| User enumeration in ESET Protect (on-prem) via Response Timing. | |||||
| CVE-2025-3092 | | | 2026-06-17 | N/A | 7.5 HIGH |
| An unauthenticated remote attacker can enumerate valid user names from an unprotected endpoint. | |||||
| CVE-2025-34255 | 1 Dlink | 1 Nuclias Connect | 2026-06-17 | N/A | 5.3 MEDIUM |
| D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain an observable response discrepancy vulnerability. The application's 'Forgot Password' endpoint returns distinct JSON responses depending on whether the supplied email address is associated with an existing account. Because the responses differ in the `data.exist` boolean value, an unauthenticated remote attacker can enumerate valid email addresses/accounts on the server. NOTE: D-Link states that a fix is under development. | |||||
| CVE-2025-34254 | 1 Dlink | 1 Nuclias Connect | 2026-06-17 | N/A | 5.3 MEDIUM |
| D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain an observable response discrepancy vulnerability. The application's 'Login' endpoint returns distinct JSON responses depending on whether the supplied username is associated with an existing account. Because the responses differ in the `error.message` string value, an unauthenticated remote attacker can enumerate valid usernames/accounts on the server. NOTE: D-Link states that a fix is under development. | |||||
| CVE-2025-34155 | | | 2026-06-17 | N/A | N/A |
| Tibbo AggreGate Network Manager < 6.40.05 contains an observable response discrepancy in its login functionality. Authentication failure messages differ based on whether a supplied username exists or not, allowing an unauthenticated remote attacker to infer valid account identifiers. This can facilitate user enumeration and increase the likelihood of targeted brute-force or credential-stuffing attacks. | |||||
| CVE-2025-31124 | 1 Zitadel | 1 Zitadel | 2026-06-17 | N/A | 5.3 MEDIUM |
| Zitadel is open-source identity infrastructure software. ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't exist and report "Username or Password invalid". While the setting was correctly respected during the login flow, the user's username was normalized leading to a disclosure of the user's existence. This vulnerability is fixed in 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9. | |||||
| CVE-2025-30280 | | | 2026-06-17 | N/A | 5.3 MEDIUM |
| A vulnerability has been identified in Mendix Runtime V10 (All versions < V10.21.0), Mendix Runtime V10.12 (All versions < V10.12.16), Mendix Runtime V10.18 (All versions < V10.18.5), Mendix Runtime V10.6 (All versions < V10.6.22), Mendix Runtime V8 (All versions < V8.18.35), Mendix Runtime V9 (All versions < V9.24.34). Affected applications allow for entity enumeration due to distinguishable responses in certain client actions. This could allow an unauthenticated remote attacker to list all valid entities and attribute names of a Mendix Runtime-based application. | |||||
| CVE-2025-30150 | 1 Shopware | 1 Shopware | 2026-06-17 | N/A | 5.3 MEDIUM |
| Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Through the store-api it is possible as an attacker to check if a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get a response which indicates clearly that there is no account for this customer. In contrast, you get a success response if the account was found. This vulnerability is fixed in Shopware 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. | |||||
| CVE-2025-2910 | | | 2026-06-17 | N/A | N/A |
| User enumeration in the password reset module of the MeetMe authentication service in versions prior to 2024-09 allows an attacker to determine whether an email address is registered through specific error messages. | |||||
| CVE-2025-27451 | 1 Endress | 2 Meac300-fnade4, Meac300-fnade4 Firmware | 2026-06-17 | N/A | 5.3 MEDIUM |
| For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one. | |||||
| CVE-2025-25236 | | | 2026-06-17 | N/A | 5.3 MEDIUM |
| Omnissa Workspace ONE UEM contains an observable response discrepancy vulnerability. A malicious actor may be able to enumerate sensitive information such as tenant ID and user accounts that could facilitate brute-force, password-spraying or credential-stuffing attacks. | |||||
| CVE-2025-24980 | 1 Pimcore | 1 Admin Classic Bundle | 2026-06-17 | N/A | 5.3 MEDIUM |
| pimcore/admin-ui-classic-bundle provides a Backend UI for Pimcore. In affected versions an error message discloses existing accounts and leads to user enumeration on the target via "Forgot password" function. No generic error message has been implemented. This issue has been addressed in version 1.7.4 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2025-24342 | | | 2026-06-17 | N/A | 5.3 MEDIUM |
| A vulnerability in the login functionality of the web application of ctrlX OS allows a remote unauthenticated attacker to guess valid usernames via multiple crafted HTTP requests. | |||||
| CVE-2025-24023 | 1 Dpgaspar | 1 Flask-appbuilder | 2026-06-17 | N/A | 3.7 LOW |
| Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3. | |||||
| CVE-2025-23214 | | | 2026-06-17 | N/A | N/A |
| Cosmos provides users the ability to self-host a home server by acting as a secure gateway to your application, as well as a server manager. By monitoring the error code returned in the login, it is possible to figure out whether a user exists or not in the database. Patched in 0.17.7. | |||||
| CVE-2025-23193 | 1 Sap | 1 Sap Basis | 2026-06-17 | N/A | 5.3 MEDIUM |
| SAP NetWeaver Server ABAP allows an unauthenticated attacker to exploit a vulnerability that causes the server to respond differently based on the existence of a specified user, potentially revealing sensitive information. This issue does not enable data modification and has no impact on server availability. | |||||
| CVE-2025-1101 | 1 Q-free | 1 Maxtime | 2026-06-17 | N/A | 5.3 MEDIUM |
| A CWE-204 "Observable Response Discrepancy" in the login page in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enumerate valid usernames via crafted HTTP requests. | |||||
